--- title: "FAQ: EU AI Act conformity assessment procedures and notified body selection" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies" author: "Sorena AI" description: "source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "Article 43" - "conformity assessment" - "notified bodies" - "Annex VI" - "Annex VII" - "high-risk AI" - "technical documentation" - "quality management system" - "EU declaration of conformity" - "CE marking" - "Article 49 registration" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # FAQ: EU AI Act conformity assessment procedures and notified body selection source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. *FAQ* *EU* ## EU AI Act Conformity Assessment and Notified Bodies Article 43 does not require every high-risk AI system to use a notified body. The route depends on whether the system is an Annex III point 1 system, an Annex III point 2-8 system, or an AI component of Annex I product legislation. Use this FAQ to map the assessment route, assemble the technical documentation and quality-management evidence, and connect the outcome to the EU declaration of conformity, CE marking, and Article 49 registration. EU AI Act conformity assessment is a pre-market or pre-service step for high-risk AI systems. Providers should first classify the system, then choose the Article 43 route: Annex VI internal control, Annex VII assessment with a notified body, or the conformity route required by applicable Annex I product legislation. ## When does Article 43 require a notified body? Article 43 uses different routes for different high-risk AI systems. For high-risk systems listed in point 1 of Annex III, the provider may use Annex VI internal control only when it demonstrates compliance by applying harmonised standards under Article 40 or, where applicable, common specifications under Article 41. For that same Annex III point 1 category, Annex VII notified-body assessment is required when harmonised standards and common specifications are not available, when the provider has not applied the relevant harmonised standard or has applied only part of it, when available common specifications have not been applied, or when a harmonised standard has been published with a restriction for the restricted part. For high-risk AI systems in points 2 to 8 of Annex III, Article 43 says providers follow Annex VI internal control, with no notified-body involvement. For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider follows the conformity assessment required by that product law, and the AI Act Section 2 requirements become part of that assessment. - Start with the legal basis for high-risk classification: Annex III point 1, Annex III points 2-8, or Annex I Section A product legislation. - Record which harmonised standards or common specifications were applied in full, applied in part, unavailable, or published with restrictions. - Use Annex VII when Article 43 makes notified-body assessment mandatory for the route, not simply because the system is high risk. - Treat a substantial modification after an assessment as a trigger for a new conformity assessment unless the change was pre-determined in the initial technical documentation. Sources for this answer: - [Regulation (EU) 2024/1689 Article 43 conformity assessment](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for the Article 43 split between Annex VI internal control, Annex VII notified-body assessment, and Annex I product-law conformity routes. - [Regulation (EU) 2024/1689 Annex VI and Annex VII](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary annex text defining internal control and notified-body assessment of the quality management system and technical documentation. ## What evidence supports Annex VI internal control? Annex VI internal control is still a formal conformity assessment. The provider verifies that its quality management system complies with Article 17, examines the technical documentation to assess compliance with Chapter III Section 2 requirements, and verifies that design, development, and post-market monitoring are consistent with the technical documentation. The evidence should therefore be more than a checklist. Article 11 requires technical documentation to be drawn up before placing the high-risk AI system on the market or putting it into service, kept up to date, and written so competent authorities and notified bodies can assess compliance. Annex IV lists expected content, including intended purpose, system versions, development methods, data requirements, human oversight, validation and testing, cybersecurity, risk management, standards used, the EU declaration of conformity, and post-market monitoring. - Maintain Article 17 quality-management records covering regulatory strategy, design control, development, validation, standards, data management, risk management, post-market monitoring, serious-incident reporting, authority communications, record keeping, resources, and accountability. - Keep Article 11 and Annex IV technical documentation current with the system version, intended purpose, interfaces, data, testing, human oversight, cybersecurity, risk management, standards, declaration of conformity, and post-market monitoring plan. - Retain the Article 18 evidence set for 10 years after the high-risk AI system is placed on the market or put into service. - Link release gates to the provider duties in Article 16: conformity assessment, EU declaration of conformity, CE marking, and Article 49 registration before market placement or service. Sources for this answer: - [Regulation (EU) 2024/1689 Articles 11, 16, 17 and 18](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for technical documentation, provider release duties, quality-management system content, and 10-year documentation keeping. - [Regulation (EU) 2024/1689 Annex IV](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary annex listing the technical-documentation content used to show high-risk AI system conformity. - [ETSI White Paper 52 on AI activities and the EU AI Act](https://www.etsi.org/images/files/ETSIWhitePapers/ETSI-WP52-ETSI-activities-in-the-field-of-AI.pdf?ref=sorena.io) - Technical context explaining that conformity assessment can be third-party or internal-control based and focuses on technical documentation. ## What changes when Annex VII applies? Annex VII adds notified-body review of both the provider's quality management system and the technical documentation for the AI system. The provider's application includes provider identity, the AI systems covered by the same quality management system, technical documentation for each system, quality-management documentation covering Article 17, procedures to keep the system adequate and effective, and a declaration that the same application was not lodged with another notified body. The notified body examines whether the quality management system satisfies Article 17 and examines the technical documentation. Where needed, it may require further evidence or tests, carry out tests itself, and, after other reasonable means are insufficient, request access to training and trained models subject to applicable protection for intellectual property and trade secrets. If the system conforms, the notified body issues a Union technical documentation assessment certificate; if not, it refuses and gives reasons. After approval, Annex VII creates an ongoing change and surveillance track. Intended changes to the approved quality management system, the covered system list, or an AI system change that could affect compliance or intended purpose must be brought to the notified body. The notified body carries out surveillance of the approved quality management system, including periodic audits. - Prepare one package for the quality management system and one for the AI system technical documentation. - Do not lodge the same Annex VII application with multiple notified bodies at the same time. - Plan how the provider will supply further evidence, testing, data-set access, or model access if the notified body requests it within the limits of Annex VII. - Track certificate conditions, supplements, refusal reasons, surveillance audit reports, and notified-body change decisions as controlled release records. Sources for this answer: - [Regulation (EU) 2024/1689 Annex VII](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary annex for notified-body assessment of quality management systems, technical documentation, certificates, changes, and surveillance. - [Regulation (EU) 2024/1689 Articles 34 and 35](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text stating notified bodies verify conformity under Article 43 and that the Commission makes notified-body lists public. - [Single Market Compliance Space notified bodies by legislation](https://webgate.ec.europa.eu/single-market-compliance-space/notified-bodies/by-legislation?ref=sorena.io) - European Commission Single Market Compliance Space page for checking notified bodies by legislation. ## What happens after a successful assessment? The conformity assessment route should close into release evidence. Article 47 requires the provider to draw up a written, machine-readable, physical, or electronically signed EU declaration of conformity for each high-risk AI system, keep it available to national competent authorities for 10 years, identify the system, state conformity with the Section 2 requirements, include Annex V information, translate it for relevant national competent authorities, and keep it up to date. Article 48 requires CE marking for high-risk AI systems. For digital high-risk AI systems, a digital CE marking can be used only when it is easily accessible through the system interface or through an accessible machine-readable code or other electronic means. Where a notified body was responsible for the Article 43 conformity assessment, its identification number follows the CE marking and is also indicated in promotional material that mentions CE conformity. Article 49 registration is separate from CE marking and must be checked before release. Providers or authorised representatives register themselves and Annex III high-risk AI systems in the EU database before placing them on the market or putting them into service, except for point 2 of Annex III. Providers also register systems they concluded are not high risk under Article 6(3). Public authorities, Union institutions, bodies, offices, agencies, and persons acting on their behalf have deployer registration duties for covered Annex III systems before use. - Attach the Article 47 declaration to the system record and include Annex V content such as system identification, provider identity, responsibility statement, conformity statement, standards or common specifications, notified-body details where applicable, and signature information. - Confirm the CE mark location: interface, machine-readable code, packaging, or accompanying documentation, depending on the system form. - When a notified body was involved, include its identification number after the CE marking and in CE-conformity promotional material. - Submit and maintain Article 49 and Annex VIII registration information where the system or deployer falls within the registration rules. Sources for this answer: - [Regulation (EU) 2024/1689 Articles 47, 48 and 49](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for EU declarations of conformity, CE marking, notified-body identification numbers, and registration duties. - [Regulation (EU) 2024/1689 Annex V and Annex VIII](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary annex text for declaration content and registration information submitted under Article 49. - [AI Act Service Desk Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Official AI Act Service Desk article explaining Article 49 registration duties for providers and certain deployers. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act Official Journal text)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal source for Article 43 conformity assessment routes, Annex IV technical documentation, Annex V declarations, Annex VI internal control, Annex VII notified-body assessment, CE marking, and registration annexes. - Quote: "Conformity assessment" - [AI Act Service Desk Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Official AI Act Service Desk page summarising Article 49 registration before market placement, service, or covered deployer use. - Quote: "Registration" - [Single Market Compliance Space notified bodies by legislation](https://webgate.ec.europa.eu/single-market-compliance-space/notified-bodies/by-legislation?ref=sorena.io) - European Commission Single Market Compliance Space page for checking notified bodies by legislation and related notified-body listings. - Quote: "Notified Bodies" - [ETSI White Paper 52 on AI activities and the EU AI Act](https://www.etsi.org/images/files/ETSIWhitePapers/ETSI-WP52-ETSI-activities-in-the-field-of-AI.pdf?ref=sorena.io) - Technical standards context for conformity assessment, quality-management evidence, testing, and technical documentation for AI-enabled systems. - Quote: "technical documentation" ## Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. *Recommended next step* *Placement: before sources* ## Map Article 43 to your product evidence Sorena can help convert the Article 43 route, Annex VI or Annex VII evidence, EU declaration, CE marking, and Article 49 registration checks into a cited workflow for high-risk AI releases. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about conformity assessment routes, notified-body triggers, technical documentation, declarations, CE marking, and registration. - [Talk through implementation](/contact.md): Review your high-risk AI assessment route, evidence gaps, and release approval steps with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies